Hackers Backdoor Cisco VPN to Steal Customer Passwords

Hackers have begun compromising a widely used virtual private network (VPN) product sold by Cisco Systems, installing backdoors on the product itself to steal the usernames and passwords customers use to log in to their networks, security researchers reported.

A researcher from security firm Volexity reported that he was currently aware of about a dozen attacks that had successfully infected Cisco’s Clientless SSL VPN, but suspects the real number to be much higher. The attacks appear to be carried out by numerous hackers abusing two main entry points. Once attackers gain backdoor access, they can operate silently for months and steal sensitive credentials both stored on and transferred through the network.

Cisco’s Clientless SSL VPN is a product that works with Cisco’s Adaptive Security Appliance. Once users have properly authenticated themselves, the web-based VPN allows employees to access internal files and to launch plug-ins that give them access to other internal resources through Telnet, SSH or other network protocols.

“This is certainly not a resource to which you want an attacker to gain access,” Volexity researchers wrote in a blog post published Wednesday. “Unfortunately, Volexity has found that several organizations are silently being victimized through this very login page.”

These reports come just a month after researchers from another security firm detected active and highly stealthy attacks abusing network routers sold by Cisco. Those backdoors were implanted on at least 79 routers spanning 19 countries, 25 of which were hosted in the USA.

The latest backdoors found on Cisco VPNs are similar to the earlier SYNful Knock malware, which gave hackers access to a barrage of infection tools; the newest backdoor, however, is not as developed. It mainly consists of malicious JavaScript code loaded into the web pages employees use to log in. The attack is hard to detect because the JavaScript is hosted on an external web page and fetched over an HTTPS connection. Researchers said the code found on devices differs from infection to infection, but it carries the same general traits.

Volexity researchers said the backdoor can be installed through at least two different entry points. The first is a critical vulnerability in the Clientless SSL VPN that Cisco patched over a year ago. The attackers’ other point of entry relies on gaining administrator access to the device and abusing it to drop the malicious code.

Organizations affected by the Cisco VPN attacks include think tanks, universities, academic institutions, electronics manufacturers worldwide and non-government organizations. To evade detection, the malicious JavaScript was hosted on other victims’ compromised websites and pulled in through an HTML iframe tag inserted into the VPN login page, where it captured users’ VPN credentials. When the login page is loaded, it connects to the compromised site and downloads the JavaScript over an encrypted connection.
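The injection technique described above is what a defender would look for in a saved copy of the appliance’s login page: a `<script>` or `<iframe>` that loads from a host other than the VPN itself. The following check is an added example, not code from the article or from Volexity; the hostnames, paths and sample page are constructed.

```python
import re
from urllib.parse import urlparse

# Matches the src attribute of <script> and <iframe> tags, case-insensitively.
# The lookbehind keeps attributes such as data-src from matching.
TAG_SRC_RE = re.compile(
    r'<(script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def find_external_loaders(html, allowed_hosts):
    """Return (tag, url) pairs whose src points outside allowed_hosts.

    Relative URLs (no host) are served by the appliance itself and are
    treated as expected. Anything loading from another host is flagged,
    including HTTPS and protocol-relative (//host/...) references, since
    an encrypted channel does not make the source trustworthy.
    """
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for tag, src in TAG_SRC_RE.findall(html):
        src = src.strip()
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path, served locally
        if host.lower() not in allowed:
            suspicious.append((tag.lower(), src))
    return suspicious


# Constructed sample login page (hypothetical paths and hosts): the legitimate
# assets are relative, while a hidden iframe pulls a script from elsewhere.
SAMPLE_LOGIN_PAGE = """
<html><head>
<script src="/portal/login.js"></script>
<link rel="stylesheet" href="/portal/portal.css">
</head><body>
<form action="/portal/index.html" method="post">...</form>
<iframe src="https://compromised.example/login.js" style="display:none">
</iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_external_loaders(SAMPLE_LOGIN_PAGE, ["vpn.example.com"]):
        print(f"ALERT: <{tag}> loads from external host: {url}")
```

Run it against a copy of the login page fetched from the appliance, with the allowlist set to the appliance’s own hostname(s); any hit is worth a closer look even when the source is on a legitimate but unrelated site.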

A Cisco spokesperson said company officials are aware of the issue Volexity reported and thanked the researchers for bringing renewed attention to the patches Cisco released 12 months ago. The Cisco official said that customers can best protect themselves from such threats by following firewall best practices.

Volexity researchers released several suggestions for detecting and removing the backdoors and VPN infections. Since the backdoors easily evade antivirus software, intrusion prevention systems and other security measures should be put in place, and administrators should routinely check their devices for signs of compromise.